CVE-2024-6049

EUVD-2024-47207
The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, the exploitation is only possible if the requested file has some file extension, e. g. .exe or .txt.
Triple Dot
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
lawovsm_ltc_timesync
𝑥
< 4.5.6.0
ADP
Common Weakness Enumeration
References
https://lawo.com/lawo-downloads/
https://r.sec-consult.com/lawo
http://seclists.org/fulldisclosure/2024/Oct/7